2016-07-25 10:27:16 |
Данило Шеган |
bug |
|
|
added bug |
2016-07-25 10:27:16 |
Данило Шеган |
attachment added |
|
php-gettext_advisory.pdf https://bugs.launchpad.net/bugs/1606184/+attachment/4706987/+files/php-gettext_advisory.pdf |
|
2016-07-25 10:34:04 |
Данило Шеган |
description |
It was assumed that PO and MO files would come from trusted translators, without any attempts to potentially exploit the service being translated. While there was still no case where this has been exploited, we should move to the same parsing logic gettext C library uses:
* http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural-exp.c
* http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural-exp.h
* http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural.y
This has been reported by Jean-Marie Bourbon as affecting NagVis, which has since fixed it by commenting out all the plural forms code: https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53
Jean-Marie was also kind enough to start a CVE 2016-6175 for this issue. |
php-gettext code that parses the plural forms header relies on eval() and only filters out some known-bad characters before passing the value from a MO file in directly to eval().
It was assumed that PO and MO files would come from trusted translators, without any attempts to potentially exploit the service being translated. While there was still no case where this has been exploited, we should move to the same parsing logic gettext C library uses:
* http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural-exp.c
* http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural-exp.h
* http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural.y
This has been reported by Jean-Marie Bourbon as affecting NagVis, which has since fixed it by commenting out all the plural forms code: https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53
Jean-Marie was also kind enough to start a CVE 2016-6175 for this issue. |
|
2016-07-25 10:34:20 |
Данило Шеган |
information type |
Private Security |
Public Security |
|
2017-01-17 18:21:49 |
Salvatore Bonaccorso |
cve linked |
|
2016-6175 |
|
2018-07-07 12:39:57 |
Valerio Bozzolan |
bug |
|
|
added subscriber Valerio Bozzolan |
2020-06-18 00:16:40 |
Sunil Mohan Adapa |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851771 |
|
2020-06-18 00:16:40 |
Sunil Mohan Adapa |
attachment added |
|
Use custom parser for parsing plural expressions instead of eval() https://bugs.launchpad.net/php-gettext/+bug/1606184/+attachment/5384872/+files/0001-Use-custom-parser-for-parsing-plural-expressions-ins.patch |
|
2020-06-18 00:17:50 |
Sunil Mohan Adapa |
attachment added |
|
Adopt tests to run recent version of phpunit https://bugs.launchpad.net/php-gettext/+bug/1606184/+attachment/5384873/+files/0002-Adopt-tests-to-run-recent-version-of-phpunit.patch |
|
2020-12-03 02:01:34 |
Sunil Mohan Adapa |
attachment added |
|
Use custom parser for parsing plural expressions instead of eval() https://bugs.launchpad.net/php-gettext/+bug/1606184/+attachment/5440422/+files/0001-Use-custom-parser-for-parsing-plural-expressions-ins.patch |
|
2020-12-03 02:03:11 |
Sunil Mohan Adapa |
attachment removed |
Use custom parser for parsing plural expressions instead of eval() https://bugs.launchpad.net/php-gettext/+bug/1606184/+attachment/5384872/+files/0001-Use-custom-parser-for-parsing-plural-expressions-ins.patch |
|
|